IE8 SmartScreen Filter – Protecting Users at Internet Scale

The RSA 2010 Security Conference is just finishing up here in San Francisco, and I’m struck by how many of the conference sessions and keynotes have warned about the threat that socially engineered malware poses to the security of the Internet. Malware has become the scourge of the Internet, and it’s not just the security experts who are worried—the top story in my morning paper yesterday described how a typical malware attack compromised a financial firm’s network. Our data shows that one out of every 250 downloads is the result of a user being tricked into downloading malware to their PC.

We’re proud of the protection SmartScreen® Filter provides to protect IE8 users from such attacks, and I’d like to share some of the latest numbers on our level of protection.

Since we launched IE8 in March 2009, SmartScreen has blocked over 560 million attempts to download malware, recently averaging over 3 million blocks per day! Hosted in datacenters around the world, SmartScreen’s URL Reputation Service (URS) has evaluated over 250 billion URLs to help keep IE8 users safe from malware. Even more impressively, since IE7’s Phishing Filter was introduced in 2005, the URS has processed over 5.7 trillion reputation requests in order to block malicious web sites. Every day, Microsoft receives around 300 million telemetry reports from IE8 users and processes 4.1 billion URLs looking for malicious websites and files. On the back end, our systems and analysts evaluate over 1 terabyte of binaries every day to help identify sites delivering malware.

The Q1 2010 NSS Labs test shows that Microsoft’s continued investment in SmartScreen is paying off. Since launch, IE8’s SmartScreen Filter has continued to improve its protection against socially engineered malware threats.

IE6 and 7 don’t provide protection against socially-engineered malware. If your family and friends aren’t up-to-date, please encourage them to upgrade to IE 8 for a safer Internet experience.

While IE8 offers the best built-in protection any browser offers against socially engineered malware, you still should follow best-practices to stay safe online. For instance:

Before downloading software, consider the risks and be aware of the fine print. For example, make sure the license agreement does not conceal a warning that you are about to install software with unwanted behavior.

You can read more tips and learn about common Internet attacks over on the Security Tips blog.


All these are paid shills for NSS Labs. If you read various blogs, you will notice that they are paid by NSS Labs to spread FUD and lies anywhere NSS Labs is being criticized.

The fact is that NSS Labs has failed to share their data, and there is no way to verify their claims. Combine that with blatant lies, such as Opera updating itself, and you will see that you are dealing with a deeply dishonest company which will gladly take Microsoft’s money, and then launch astroturfing campaigns to harass and silence criticism.

The funniest part here is when the paid NSS Labs shill says that Trend Micro endorses the methodology. Why would they not? They won the pseudoscientific and unverifiable test by NSS Labs, so they have no reason to question it!

@Frederico: Jesper didn’t bother to read the methodology. It’s easier to parrot the talking points of the non-IE fanboys than to actually read the report and decide what he thinks of the methodology himself.

The methodology is sound. It has been endorsed by Trend Micro http://trendmicro.mediaroom.com/index.php?s=43&item=749, Gartner, and others. None of these are friends of MS. Google fans need to start asking Google why they continue to score poorly and refuse to offer their customers equal levels of protection from drive-by attacks as they do socially engineered attacks (malware & phishing).

So of the sites that host this malware – what percent of it has: Active-x, JScript, VBScript, VML, or CSS expression based attack vectors?

Keeping in mind that if 75% of these sites use these non-web-standard attack vectors all the other browsers (Firefox, Safari, Opera & Chrome) are all immune to them by design!

Combine that with the social angle.

Statistically, IE users are less technical and knowledgeable about the Internet and the dangers that lie within.

IE users are more likely to click on dialogs and grant permission to infectious files, download shifty codecs/licenses for windows media player because the porn video they downloaded "claims" it needs it.

An IE user that has not yet learned there are better browsers out there is not likely going to recognize spoofed behavior like a faked yellow security bar that actually initiates the malware download, which non-IE users would spot right away as bogus!

Installing a non-IE browser as the default browser on all my family’s computers was the best thing I ever did. Tech support calls dropped by 90% overnight.

If you don’t agree with the above article, take a look at the blog by Trend Micro from about a year ago, where they determined only 20% of malware is installed through exploits. They said the vast majority of malware installations can be traced back to a socially engineered attack.

Please don’t throw out SWAG percentages as fact. It does nothing but harm your argument. Also, don’t get me wrong, I am not an IE zealot, I just believe in an honest factual discussion.

Believe me. When Google or Firefox or a non-IE browser scores better than IE, then all the people that are against this report now will embrace it, praise the standard/methodology in this malware test as unbiased, and bash IE for being less secure.

This is life. All the Microsoft haters sitting out there, waiting for any chance to spread the FUD.

That is why IE8 is getting so much negative publicity while being quite a good browser overall.

Also, there doesn’t seem to be an easy way to check a site for blacklist status (without visiting it), like you can with Google, McAfee or Norton services. And without an open side-by-side comparison there will always be complaints about biased research, evil Microsoft and

If you plan to publish the full results of the next security tests that are done that are not sponsored by Microsoft then great! Otherwise do not post the results of a sponsored test. It does nothing for your credibility other than undermine it.

Tina, if you plan to post a comment that adds to the conversation in a meaningful way, then great! Otherwise, please do not post your comment, as it does nothing for the reader other than waste their time.

"Also, the test included Phishing, Clickjacking, and so-called “drive-by downloads” (where the web page contains an exploit against a browser and the payload of that exploit is malware that is automatically installed)."

Then

"It did NOT cover Phishing, so-called “drive-by” exploits/downloads, or Clickjacking."

You speak of what not you know. Have you called NSS and asked for the data? I know people at Google and Safari were offered the data. According to Opera’s website, the last time I looked, their one published source for malware is defunct as a data source (Haute Secure).

Safari, Google, Firefox and OPERA, have never officially disputed the test results or the methodology. Haavard goes out of his way to say his blog is personal opinion and not an official Opera blog.

As for funding, according to what I read, all the browsers were offered to split the cost of the test, but they declined and have never done a competitive test to counter the test.

Now don’t get me wrong. My browser of choice is FF. I like its speed, customization, ad blocker, NoScript, and plug-in model a lot better than any other browser. But I do wish MS allowed other products to use their protection from socially engineered attacks like Google does.

NSS Labs have taken on board a lot of the community feedback about being more transparent with their methodology and I think the latest report reflects that.

They start with more than 12,000 suspicious URLs which are gathered from “honey pot” e-mail addresses and scanning sites known to deliver malware. Many of these URLs are already “down” by the time NSS Labs first hit them. Others do not pass validation, for example they aren’t providing socially engineered malware which is what this report is testing.

NSS Labs are producing a unique report which focusses on testing real, live socially engineered malware. It’s expensive and complex to build the infrastructure to do the testing and I suspect that’s why there aren’t other reports available. Because the test is against live threats, by this point a month later many of the URLs have gone dead reflecting how quickly the landscape changes. I’m not sure what we’d learn from looking at a list of now defunct URLs.

I’d welcome a community or competitor driven effort to provide another report that could corroborate – or not – the findings in NSS labs study against live or socially engineered malware.

People quote HAAVARD as the official Opera dispute of the test, even though according to his website "Even though I work for Opera Software, the opinions stated herein do not necessarily represent those of my employer". Neither Opera, Chrome, Firefox, nor Safari have come out disputing the NSS test results or methodology. Don’t you think if they truly disagreed with the results they would have made an official statement? This is the third time MS has released the study, and all we hear from them is silence.

Has there been another test from a different independent test org that contradicts the NSS test?

If not NSS, what test org is qualified to do an in-the-wild phishing and malware test?

When I search the web looking for NSS’s reputation, I see a lot of positive stuff from people who do not have any skin in the browser game.

hello>> I don’t know what doc you’re reading, but both of the Q1 2010 PDFs from NSS clearly state that they don’t include "clickjacking" attacks. (The term "clickjacking" is misused here anyway: NSS means "drive-by attacks" where they say clickjacking.)

(I’m breaking this into segments as this blog is refusing to accept the entire message without filtering it)

(con’t)

…I’m just curious – as the latter (b) URL’s should only be held up to testing against the browsers that have said holes/behavior.

e.g. if Chrome/Firefox do not block page ‘X’ because they do not contain a flaw that would allow the download of malware file ‘Y’ – then that should not count as a strike against Chrome/Firefox as they are already safe from this malware by design.

Are there any statistics on the urls to indicate how the malware would get downloaded? I think this is a very important piece of the security puzzle that should not be overlooked.

Ok, so we have IE 8 which is good at blocking bad sites, or every other browser which follows W3C standards. Hmmm, which browser should I use… I know, I’ll use Opera because it’s fast, follows standards, has a built in mail client, scores 100 on Acid 3, is skinnable and has a download manager. I’ll use my own common sense to judge the validity of a website. If I keep my anti-virus up to date, I’m sure I’ll be fine. Oh, no! But wait a minute! My AV isn’t up to date… in fact, I don’t have any installed! I use Linux 🙂

@further: In the context of this study, "Drive by attack" or "drive by download" means "attempted exploit of a browser vulnerability to get code execution." As you noted, trying to benchmark those would not be reliable because of cross-browser differences.

The NSS studies, in contrast, measure socially-engineered malware, which is a different class of attack wherein the user is misled into downloading and running a malicious program; no browser exploits are involved – the attacker takes advantage of the user, rather than a technical vulnerability. Such attacks work the same way across all browsers, which is one of the reasons why they are popular.

@Phil: As noted in the post, SmartScreen has blocked 560 million malware downloads in just one year, suggesting that either social-engineering attacks can defeat "common sense", or that "common sense" is perhaps not as "common" as one might hope.

Yes, that is but one of the examples of cherry-picking. The other one is the reduction from 12K to 500 pages, and something like 50 sites! Wow.

"The NSS studies, in contrast, measure socially-engineered malware"

Cherry-picking again.

Also, NSS Labs does not test whether the browser actually blocks it or not. For example, Opera fetches the requested document while at the same time checking the fraud list. If the document is found to be fraudulent, it will be blocked, even though a request has already been sent.

"Cherry-picking again" — they are measuring exactly what they’re advertising their test to measure. If you have a problem with that, it’s not that they are "cherry picking" it’s "I don’t like the premise behind your test. I don’t believe socially engineered malware is as important as you do."

"False positives." — wrong again. IE also downloads and performs checks in parallel. NSS says their test measures whether the block occurs, not whether a download occurs. Opera has miserable results because they have no antimalware data. Their phishing data is the weakest of the browsers as well.

@Eric MSFT – valid point. However, I was referring to -my own- common sense, not the average user, who generally doesn’t have any at all. I know how to check site certs, I know how to validate links etc. To be honest though my surfing is generally limited to probably less than 30 different websites (although they have very dynamic content) and I trust them enough to NOT be rooted and loaded with malware. I’d never expect Joe User to be able to test for things like invalid SSL certs – which is one feature I really do like in IE8, it’s very good at getting in your face and telling you the site has issues.

I was being flippant about the Linux thing – which I do use – that was just me taking a cheap shot about being maybe a little more secure than the average Windows user 😉

When I go to a site that pushes a download on me, e.g. download.cnet.com, in Firefox a dialog pops up asking me where I want to SAVE the file.

This is the safe, responsible thing to do with the downloaded file.

However in IE, I get a dialog that offers an insecure option… (Open). This button is the first button on the dialog and is just asking for a horrible outcome.

If MSFT really cares about IE users, IE9 will REMOVE this button completely. In an age where 560 M-I-L-L-I-O-N malware attempts were blocked in IE, one can only imagine how many more files are out there. Since real-time blocking of files across the entire Internet simply does not scale, it is important for IE to take a pro-active step and remove the Run button from user temptation.

Combine this with a file download manager and there will be no issues for end users. Files are never executed automatically, yet they are easily found in the download manager and further still A/V software will instantly scan the file once it is added to the local file system (if not before).

"Since real-time blocking of files across the entire Internet simple does not scale it is important for IE to take a pro-active step and remove the Run button from user temptation"

I am curious at such assertions – this isn’t a client-based signature list but a server-based signature list. Since all you have to compare is a hashed key on the server, it scales much better than, say, normal search results (which obviously can scale, i.e. Google, Bing, etc). The weakness in the blacklist is that there is a lag time between a new malware signature and the updating of the malware index that MS maintains, but that is a separate problem from the issue of scaling the size of the index.

Per the "how much of this is an IE specific attack so it doesn’t matter", such arguments are pretty outdated. IE exploits are worth a lot less than they used to be, as Flash, Quicktime, and Acrobat are the new primary targets of web based exploits (all three have greater market penetration than IE these days, are much more fruitful hunting ground for vulnerabilities, and neither Adobe nor Apple had an equivalent SDL to Microsoft). Additionally, exploits are not the primary delivery vector on the client – socially engineered trojans are. Finally, trusting that you can spot a phishing/malware site is not a sound assumption anymore – a good deal of malware is hosted on otherwise legitimate sites thanks to the rise of SQL Injection worms. It isn’t 2001 anymore folks, and operating under the assumptions from 9 years ago is not a sound decision.

So, I’ve been very impressed with IE8’s security. If they maintain this good security (or improve it even better!) with IE9, and also give it good web standards support and overall browsing/page-loading performance, then I may actually use it as my main browser.

Actually, when you press "Open", the file is still downloaded to a temporary location on your hard disk, so your AV would still scan it before it has any chance to execute. So there’s really not that much difference in terms of security between selecting "Save" first then manually double-clicking it to open, and just selecting "Open" right away. The only advantage of "Save" is that you can choose a location to permanently store it for later use, instead of just downloading it to a temporary location and just running it once. But it’s not any more or less safe than just "Open".

Actually, MOST attacks these days are NOT exploiting browser vulnerabilities; only the most elite attackers have the intelligence and resources to conceive such attacks. The average attackers will just make a page and put a download link that says "download this and run it and your credit card will have 100 more dollars", things like that. And for those common attacks, what kind of browser you use doesn’t matter, since every browser provides the functionality for people to download and run things from the internet.

As for your second point, it is valid, non-IE users are usually more techie than IE users, I myself use Opera most of the time, and non-IE users are usually more security-aware, I met many IE users who don’t install any AV on their system, while non-IE users all have some kind of AV installed or use Linux/FreeBSD, or both 😉

But then they are testing the browsers, not the browser users, so it’s kinda irrelevant to talk about how techie the users of a certain browser are. And for your last part, I highly doubt installing non-IE browsers on your family computers can magically make your family members more techie unless you educated them about computer security at the same time. After all, it doesn’t matter whether they are using IE or Opera or Firefox or Chrome or Safari to download an executable file that says "click me and you’ll see a nice firework show", so just changing the browser itself doesn’t really stop them from being vulnerable to the vast majority of malware attacks out there.

The only thing that can protect someone from malware attacks is to educate him/her about internet security, not just changing the browser he/she uses. Opera surely has much better web standards support than IE, that’s for sure, but Opera does NOT have any better protection against malware downloads, and I don’t think people can truly rely on browsers to protect them from malware anyway; what they need is some real AV software and a brain better suited to this internet age.